Fix CVEs and bump receptorctl (#14925)

CVE-2023-47627 CVE-2023-49083 CVE-2023-41040 CVE-2024-22195 CVE-2023-46137
2026-01-09 23:12:08 -03:30 · 2024-02-26 10:48:38 -05:00 · 2024-02-26 10:48:38 -05:00 · 88e406e121
commit 88e406e121
parent 59d0bcc63f
2 changed files with 16 additions and 18 deletions
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@ -1,4 +1,4 @@
-aiohttp
+aiohttp>=3.8.6  # CVE-2023-47627
 ansiconv==1.0.0  # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
 asciichartpy
 asn1
@ -8,7 +8,7 @@ boto3
 botocore
 channels
 channels-redis==3.4.1  # see UPGRADE BLOCKERs
-cryptography>=41.0.2  # CVE-2023-38325
+cryptography>=41.0.6  # CVE-2023-49083
 Cython<3 # this is needed as a build dependency, one day we may have separated build deps
 daphne
 distro
@ -26,15 +26,15 @@ django-split-settings==1.0.0    # We hit a strange issue where the release proce
 djangorestframework
 djangorestframework-yaml
 filelock
-GitPython>=3.1.32  # CVE-2023-40267
+GitPython>=3.1.37  # CVE-2023-41040
 hiredis==2.0.0  # see UPGRADE BLOCKERs
 irc
-jinja2
+jinja2>=3.1.3  # CVE-2024-22195
 JSON-log-formatter
 jsonschema
 Markdown  # used for formatting API help
 openshift
-pexpect==4.7.0 # see library notes
+pexpect==4.7.0  # see library notes
 prometheus_client
 psycopg
 psutil
@ -49,20 +49,20 @@ pyyaml>=6.0.1
 receptorctl
 social-auth-core[openidconnect]==4.4.2  # see UPGRADE BLOCKERs
 social-auth-app-django==5.4.0  # see UPGRADE BLOCKERs
-sqlparse >= 0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96
+sqlparse>=0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96
 redis
 requests
 slack-sdk
 tacacs_plus==1.0  # UPGRADE BLOCKER: auth does not work with later versions
 twilio
-twisted[tls]
+twisted[tls]>=23.10.0  # CVE-2023-46137
 uWSGI
 uwsgitop
-wheel>=0.38.1 # CVE-2022-40898
+wheel>=0.38.1  # CVE-2022-40898
 pip==21.2.4  # see UPGRADE BLOCKERs
 setuptools  # see UPGRADE BLOCKERs
 setuptools_scm[toml]  # see UPGRADE BLOCKERs, xmlsec build dep
-setuptools-rust >= 0.11.4 # cryptography build dep
+setuptools-rust>=0.11.4  # cryptography build dep
 pkgconfig>=1.5.1  # xmlsec build dep - needed for offline build

 # Temporarily added to use ansible-runner from git branch, to be removed
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@ -1,6 +1,6 @@
 adal==1.2.7
    # via msrestazure
-aiohttp==3.8.3
+aiohttp==3.9.3
    # via -r /awx_devel/requirements/requirements.in
 aioredis==1.3.1
    # via channels-redis
@ -70,14 +70,12 @@ channels==3.0.5
 channels-redis==3.4.1
    # via -r /awx_devel/requirements/requirements.in
 charset-normalizer==2.1.1
-    # via
-    #   aiohttp
-    #   requests
+    # via requests
 click==8.1.3
    # via receptorctl
 constantly==15.1.0
    # via twisted
-cryptography==41.0.3
+cryptography==41.0.7
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   adal
@ -163,7 +161,7 @@ frozenlist==1.3.3
    #   aiosignal
 gitdb==4.0.10
    # via gitpython
-gitpython==3.1.32
+gitpython==3.1.42
    # via -r /awx_devel/requirements/requirements.in
 google-auth==2.14.1
    # via kubernetes
@ -216,7 +214,7 @@ jaraco-text==3.11.0
    # via
    #   irc
    #   jaraco-collections
-jinja2==3.1.2
+jinja2==3.1.3
    # via -r /awx_devel/requirements/requirements.in
 jmespath==1.0.1
    # via
@ -362,7 +360,7 @@ pyyaml==6.0.1
    #   djangorestframework-yaml
    #   kubernetes
    #   receptorctl
-receptorctl==1.4.2
+receptorctl==1.4.4
    # via -r /awx_devel/requirements/requirements.in
 redis==4.3.5
    # via -r /awx_devel/requirements/requirements.in
@ -440,7 +438,7 @@ tomli==2.0.1
    # via setuptools-scm
 twilio==7.15.3
    # via -r /awx_devel/requirements/requirements.in
-twisted[tls]==22.10.0
+twisted[tls]==23.10.0
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   daphne